Computers can communicate with one another only when connected together using some form of a communications network. The Internet is one such network, which has grown extensively over the past decade, and has the distinct advantage of being able to connect computers together from anywhere in the world. Another type of communications network are local area networks (“LAN”), which are private networks that typically exist between only a few trusted computers, usually in an office or home. A further example of a computer communications network is a wide area network (“WAN”), which is usually used as a means of communications access to the Internet via a wireless radio protocol.
There are many possible reasons to want remote computers to join a LAN. A LAN itself is often secure, it may contain or have access to important corporate resources at the office, or access to one's personal media or data files in a residential setting. However, once a user attaches to a LAN via a direct Internet connection, the LAN is no longer secure. For this reason, the Virtual Private Network (“VPN”) was created. The VPN is software that appears to be another LAN adapter, but uses encryption technology and methods, and Internet connections, to bridge remote computers onto a local area network, without risk of directly connecting the LAN to the public and insecure Internet.
FIG. 1 illustrates a prior art classic Virtual Private Network 100. In such a network, predefined or rolling algorithms allow a secure connection between a computer 102 and a corporate server 116. This connection is made over any network 114, which may also be the Internet, with security managed by the VPN layer on the client 108 and the server 118. Any software clients 104 on the client computer 102 will see the VPN client 108 as a virtual network interface 106, appearing no different than the driver for a physical network interface 112. The VPN encapsulates all traffic sent to it as encrypted, private data, then sends it via a standard network interface and driver 110 to a physical network interface device 112, such as a Wi-Fi or Ethernet device.
The VPN data is secure over the unsecured network 114, using strong encryption. This type of encryption is superior to other standard forms of encryption, because even the structure of the data is hidden from any resource outside of the VPN. The classic VPN typically has pre-shared keys; an administrator will create encryption keys for each client computer 102, which are also known to the server 116. This prevents unauthorized users of the same VPN technology to connect, and it allows an administrator to de-authorize any given user. Some simple VPNs use only a single shared key for all connections.
The classic prior art VPN routes data to a server 116, which is also physically interfaced 112 to the external, insecure network 114. The server 116 communicates via an driver interface 110 to the server part of the VPN 118. It is only within this part of the system that the encrypted data is decrypted. In the classic VPN, the VPN server 118 is responsible for authenticating VPN clients 108. It will, of course, reply to said clients with encrypted packets, so the communication and traffic is encrypted in both signal directions and is two-way secure.
On the server 116, the VPN server 118 will also appear as a normal networking device to the server host operating system (“OS”), allowing access to the server's network software layer 110 and network software clients 104 within the server computer, and usually, out via a physical interface 112 to a secure corporate network 120.
The effect of the classic prior art VPN is that the remote client computer 104 behaves as if it is in the same building, connected to the secure corporate network 120, as the server 118 and other client computers 104. Yet, the data from the client 104 is secure, and the corporate network 120 is not subject to risk of attack via an open Internet 114 or other insecure connection. A big disadvantage of a classic VPN is its complexity of use. A network administrator is usually needed, to hand out keys, to manage firewalls, etc. Moreover, it is dependent on the central authority for all VPN certifications. Even in a business scenario, managing a VPN and keeping it functional for all remote users can be a complex and problematic task.
In response to these type of issues, and to enable simpler VPNs for home users, a new kind of VPN management has become popular. This new VPN eliminates some or all aspects of a single central server, replacing it with a central manager for VPN certifications, which will let VPN clients rendezvous with one another, but then, at least to some extent, run peer-to-peer as long as the VPN is operating. FIG. 2 illustrates an example prior art embodiment of this modified VPN 200, which has enjoyed some success as a personal VPN. In this architecture, there is no corporate intranet, simply clients 102 that wish to merge their local networks together via a VPN.
This network architecture still enlists a management server 202, but in this instance the server is only for management purposes. A client 102 will establish a connection to a web or similarly accessible front end 204, which will allow it to define a VPN connection and other clients. The web front end 204 informs the VPN Manager of the connection, and it proceeds to direct the clients to establishing a peer-to-peer, authenticated VPN connection.
Some VPNs designed this way will continue to route some traffic through the VPN Manager 206, while others drop the management interface entirely and leave the clients to operate entirely peer-to-peer.
Another limitation of the typical VPN user is the network itself. Some client devices may have multiple Internet connections: WAN, LAN, Wi-Fi, etc. But each of these connections are not necessarily useful at all times, particularly over the course of a day for a traveler. For example, while a Wi-Fi connection may be the best communication means at one location, a WAN may be better for signal transmission at a different location. It may be complex to switch the VPN from interface to interface, and there is usually no way to take advantage of the speed of multiple interfaces when they are available.
There is a history for using multiple physical interfaces and treating them as a single faster interface. This has historically been called “network bonding.” The use of a bonded set of slower physical interfaces 112 to create one large, virtual interface is fairly well documented. FIG. 3 shows a typical prior art bonded network interconnect 300. In this system, there is a computer 102 with client applications 104 and a network interface layer 106 that needs to be connected to the Internet or other fast network 114. However, it only has access to slow connections 304.
Using either a network layer or a device layer abstraction 302, such a system splits network traffic in some agreed-upon way over multiple point-to-point connections, such as phone lines, to a service provider 306. That service provider 306 contains a similar network layer or device layer 302, which can reassemble the traffic, delivering it to a standard network layer protocol 110, and ultimately, interfaced 112 to the target network 114. Examples of this type of architecture include the Integrated Services Digital Network (“ISDN”) standard, and various systems for bonding analog phone modems such as Microsoft Modem Bonding, FatPipe, and others.
To improve upon this prior art, a number of additional features can be built into a VPN system. A more flexible means of establishing the VPN connection, with the option of using readily available public resources and standards is a tangible advancement. Using standards allows the user a choice between public or private resources for this connection. A further goal of the inventive system is an even greater simplification of the VPN setup, and taking the need for a proprietary central server out of the system as a further improvement. A further objection and advancement is to establish a novel means by which the VPN can route through firewalls that can often hinder VPN use in the field. Yet another advancement allows dynamic use of any and all available interfaces, optimizing performance across all means of connection between two points on the VPN, and allowing rules to factor in the cost of any interface's use as well.
Based on the typical complexity of creating, establishing, and maintaining a VPN, there is plenty of room for improvement in this field. Specifically, a VPN can be created dynamically, without the need for expert configuration of the VPN, firewalls, routers, and other networking components. Coupling this with the ability to intelligently use all available bandwidth, and make the best of potentially faulty connections readily permits the ability to create a more ideal VPN for use by remote clients.